Tuesday, July 10, 2007

Back when I started with this whole web design thing I was able to find some scripts to take advantage of some of the check encoding built into credit card numbers. I think we even had a little checksum so we could tell if it was a validly formatted number, but most of all there was a system to the numbering, so we could tell issuer networks apart.

We had to provide this tag for whether the card is Visa, MC, AMEX or whatever to the processing bank, but we could determine that based on looking at the number. I knew this to be true from earlier in my life, so went looking and it was great.

Now, a few years after I get to Sprint I am told this no longer works. Though no one can show me proof, and I don't believe it fully, I'm told that due to the large number of cards issued, that scheme doesn't work so we'll need to ask the customer which card they are using. It's always lame to provide an extra step, but everyone else seems to have done it, so who am I to argue.

Well, it's demonstrably not true:

I just recently bought something thru this store with a PayPal checkout scheme. On the left, you see they accept the usual assortment of cards. On the right, after entering my valid card number (that is not it!) it shows which one you have. No user input required. Neat.

I suppose it's possible they are using Ajax to actually pre-process the card number, but for a bunch of reasons, I doubt that. I think it's parsing the CC number itself on the client side.
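What client-side parsing of this kind can look like, as an added example that is not the store's or PayPal's code: it guesses the network from the leading digits and runs the Luhn checksum. The function names and the three-network table are assumptions made for illustration, using the commonly published prefix and length ranges.

```javascript
// Added example: network detection and Luhn check done entirely in the browser.
// The table holds commonly published prefix ranges for three networks only;
// a production form would cover more networks and keep the ranges current.
const NETWORKS = [
  { name: "amex",       prefixes: [[34, 34], [37, 37]],     lengths: [15] },
  { name: "mastercard", prefixes: [[51, 55], [2221, 2720]], lengths: [16] },
  { name: "visa",       prefixes: [[4, 4]],                 lengths: [13, 16, 19] },
];

// Strip the spaces and dashes people type between digit groups.
function digitsOnly(input) {
  return String(input).replace(/[\s-]/g, "");
}

// Works on partial input, so the logo can change while the user is typing.
function detectNetwork(input) {
  const pan = digitsOnly(input);
  if (!/^\d+$/.test(pan)) return null;
  for (const net of NETWORKS) {
    for (const [lo, hi] of net.prefixes) {
      const width = String(lo).length;
      if (pan.length < width) continue;
      const head = Number(pan.slice(0, width));
      if (head >= lo && head <= hi) return net.name;
    }
  }
  return null;
}

// Luhn: from the right, double every second digit, sum, require sum % 10 == 0.
function luhnValid(input) {
  const pan = digitsOnly(input);
  if (!/^\d{12,19}$/.test(pan)) return false;
  let sum = 0;
  for (let i = 0; i < pan.length; i++) {
    let d = pan.charCodeAt(pan.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Combined result for a form field: network guess, length check, checksum.
function checkCard(input) {
  const pan = digitsOnly(input);
  const network = detectNetwork(pan);
  const net = NETWORKS.find((n) => n.name === network);
  const lengthOk = !!net && net.lengths.includes(pan.length);
  return { network, lengthOk, luhnOk: luhnValid(pan) };
}
```

The checksum only catches typing mistakes and says nothing about whether the card exists or belongs to the person typing, so the server still has to validate whatever the browser submits.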

Some other time I'll rant about how amazingly poorly the CVV2 code is implemented from a design, usability, comprehension and, mostly, security point of view. Note that mine was auto-filled by the browser. That's secure.